Sorry, but I don't understand very well. So that you understand our "scenario": we have an LDAP server with users that are all in the same branch. All these users have the attribute "PostOfficeBox". We will use this attribute as the group attribute (i.e., to make the difference between user types). For example, if PostOfficeBox=00000001 then the user belongs to Sales; if PostOfficeBox=00000002 then the user belongs to Marketing. So, what we need is to assign addresses to VPN users according to the PostOfficeBox value.

My config in ldap.attrmap is something like this... (Is this what you said? Is it correct?)

    checkItem $GENERIC$ radiusCheckItem
    replyItem $GENERIC$ radiusReplyItem
    checkItem vpnusers1 PostOfficeBox #vpnusers1 and vpnusers2 are the ippools
    checkItem vpnusers2 PostOfficeBox #PostOfficeBox is the LDAP attribute

In the user file...

    DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type :=LDAPVPN1, Pool-Name :=vpnusers1
    DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type :=LDAPVPN2, Pool-Name :=vpnusers2
    # y.y.y.y= address of VPN Server

In the radius.conf

    ldap vpnldap1 {
        server = "x.x.x.x"
        identity = "cn=Directory Manager"
        password = **********
        basedn = "ou=People, dc:blah, dc=cl"
        filter = "(&(uid=%u)(PostOfficeBox=00000001))"
        authtype = ldap
        set_asuth_type = yes
    }
    ldap vpnldap2 {
        server = "x.x.x.x"
        identity = "cn=Directory Manager"
        password = **********
        basedn = "ou=People, dc:blah, dc=cl"
        filter = "(&(uid=%u)(PostOfficeBox=00000002))"
        authtype = ldap
        set_asuth_type = yes
    }
    ....
    authorize {
        files
        Autz-Type LDAPVPN1 {
            vpnldap1
        }
        Autz-Type LDAPVPN2 {
            vpnldap2
        }
    }
    ....
    authentication {
        Auth-Type LDAPVPN1 {
            vpnldap1
        }
        Auth-Type LDAPVPN2 {
            vpnldap2
        }
    }
    ....
    ippool vpnusers1 {
        range-start = 10.0.0.10
        range-stop = 10.0.0.19
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers1-session
        ip-index = ${raddbdir}/db.vpnusers1-index
        override = yes
    }
    ....
    ippool vpnusers2 {
        range-start = 10.0.0.20
        range-stop = 10.0.0.29
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers2-session
        ip-index = ${raddbdir}/db.vpnusers2-index
        override = yes
    }

Please help me with this, because I don't know what's wrong in my config.
Thanks so much.

Osvaldo H. Campos Molina
Network Administrator
STI - Univ. de Chile



[EMAIL PROTECTED] wrote:
Add Pool-Name as check item with operator := to ldap.attrmap. Map it to
something like radiusPool. Add radiusPool to user profile in ldap. Add
value pool1 for radiusPool to those with attribute = 1 ...

Ivan Kalik
Kalik Informatika ISP
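
The last step of the quoted advice (giving each user a pool value according to PostOfficeBox) can be prepared as LDIF modify records. The script below is an added example, not part of the original thread or of FreeRADIUS. It assumes `radiusPool` is the attribute name chosen (the reply only says "something like radiusPool"), that the directory schema allows it, and that the export is plain LDIF without folded or base64 lines. The sample entries are constructed.

```python
# Added example: build LDIF "modify" records that set a pool attribute
# from each user's PostOfficeBox value. radiusPool is a hypothetical
# attribute name; the directory schema must permit it on user entries.

POOL_BY_POBOX = {           # values and pool names taken from the thread
    "00000001": "vpnusers1",
    "00000002": "vpnusers2",
}

# Constructed sample export (for instance from ldapsearch), not real data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=cl
uid: alice
postOfficeBox: 00000001

dn: uid=bob,ou=People,dc=example,dc=cl
uid: bob
postOfficeBox: 00000002

dn: uid=carol,ou=People,dc=example,dc=cl
uid: carol
postOfficeBox: 00000009
"""

def parse_entries(ldif):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                entry[name.lower()] = value.strip()
        if "dn" in entry:
            yield entry

def pool_modifications(ldif, pool_attr="radiusPool"):
    """Return (ldif_text, skipped_dns); unmapped users get no pool."""
    records, skipped = [], []
    for entry in parse_entries(ldif):
        pool = POOL_BY_POBOX.get(entry.get("postofficebox", ""))
        if pool is None:
            skipped.append(entry["dn"])   # fail closed: no default pool
            continue
        records.append(
            f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: {pool_attr}\n{pool_attr}: {pool}\n"
        )
    return "\n".join(records), skipped

if __name__ == "__main__":
    out, skipped = pool_modifications(SAMPLE_LDIF)
    print(out)
    print("# no pool assigned:", skipped)
```

Users whose PostOfficeBox value is not in the table are reported rather than given a default pool, so an unexpected value does not silently land in another group's address range.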
